Hi,
I've been looking into spam prevention on forms to prevent multiple requests being made to the form... captchas, throttling, banning IPs etc.
However, I don't understand how they can make so many requests at once to a form and populate it? Obviously they don't use AJAX as that doesn't work across different domains, my field names aren't populated via $_GET. Just an understanding would be helpful if someone could let me know.
Multiple Form Submissions
- flying_circus
- Forum Regular
- Posts: 732
- Joined: Wed Mar 05, 2008 10:23 pm
- Location: Sunriver, OR
Re: Multiple Form Submissions
Hey Tim,
Can you tell us more about what safeguards are already in place in your forms? Are you sure the requests received are actually coming directly from your form and are not forged?
This is something I'm interested in as well
Re: Multiple Form Submissions
Well it was a completely hypothetical question, I'm not getting any problems. I was more interested in how they actually do it, I mean, I know there is Javascript injection that can be used to populate a form, but how can this be automated and called many times when AJAX just doesn't work cross domains unless specified?
In answer to your question, what I have on my forms is an anti-CSRF token currently generated upon form loading, also an HTTP Referer check (I know this is easily forged, but another layer is always good... going by 'defense in depth' I read in a book by Chris Shiflett). Currently I have a 6 character captcha as well, generated from a substr of an MD5 hash of a random number. This is there on every form submittal, but I'm going to look into causing it to appear after several form submittals from the same IP.
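The "show the captcha after several submittals from the same IP" idea in the post above, written out as an added example (not code from the poster or this thread). It is in Python rather than the PHP the site presumably uses, and the thresholds, IPs and timestamps are all constructed for illustration: a sliding-window counter per client IP that decides whether the next form load must carry a captcha.

```python
import time
from collections import defaultdict, deque

# Hypothetical thresholds: an IP gets MAX_FREE captcha-free submissions
# within any WINDOW_SECONDS span, after which the form must show a captcha.
MAX_FREE = 3
WINDOW_SECONDS = 60.0


class SubmissionTracker:
    """Sliding-window counter of form submissions per client IP."""

    def __init__(self, max_free=MAX_FREE, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.max_free = max_free
        self.window = window
        self.clock = clock                   # injectable so a test can control time
        self.history = defaultdict(deque)    # ip -> timestamps still inside the window

    def _prune(self, ip, now):
        """Drop timestamps older than the window and return the remaining queue."""
        q = self.history[ip]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def record(self, ip):
        """Log one submission from ip; returns how many now fall inside the window."""
        now = self.clock()
        q = self._prune(ip, now)
        q.append(now)
        return len(q)

    def captcha_required(self, ip):
        """True once ip has used up its free submissions inside the window."""
        return len(self._prune(ip, self.clock())) >= self.max_free


def demo():
    """Replay constructed sample traffic (not real log data) through the tracker.

    Returns (ip, seconds, captcha_required_after_this_submission) tuples.
    """
    fake_now = [0.0]
    tracker = SubmissionTracker(clock=lambda: fake_now[0])
    results = []
    sample = [("10.0.0.5", 0), ("10.0.0.5", 1), ("10.0.0.5", 2),
              ("10.0.0.5", 3), ("192.0.2.9", 4), ("10.0.0.5", 70)]
    for ip, at in sample:
        fake_now[0] = float(at)
        tracker.record(ip)
        results.append((ip, at, tracker.captcha_required(ip)))
    return results
```

Because PHP runs per request, the equivalent in the site itself would have to keep the per-IP queue in shared storage (a database table or cache) rather than in process memory as here. Per-IP counting is also a blunt instrument: many legitimate users can sit behind one NAT address, and a spammer with many source addresses never trips the threshold, so it belongs alongside the token and captcha rather than in place of them.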
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: Multiple Form Submissions
timWebUK wrote: I don't understand how they can make so many requests at once to a form and populate it?
Opening sockets to your server and sending POST requests. Crackers do not necessarily use the web browser to send requests.
Re: Multiple Form Submissions
Ah thanks, I was unfamiliar with sockets. I'll have a look into them! Seems quite interesting stuff.